Fix AccessMonitoringRule ACL (#43980)
Signed-off-by: Lisa Kim <[email protected]>
Co-authored-by: Carlos Castro <[email protected]>
kimlisa and carloscastrojumo authored Jul 10, 2024
1 parent 988fea6 commit 95096dc
Showing 2 changed files with 3 additions and 2 deletions.
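--- a/lib/services/useracl.go
+++ b/lib/services/useracl.go
@@ -150,6 +150,7 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
 dbAccess := newAccess(userRoles, ctx, types.KindDatabase)
 kubeServerAccess := newAccess(userRoles, ctx, types.KindKubeServer)
 requestAccess := newAccess(userRoles, ctx, types.KindAccessRequest)
+accessMonitoringRules := newAccess(userRoles, ctx, types.KindAccessMonitoringRule)
 desktopAccess := newAccess(userRoles, ctx, types.KindWindowsDesktop)
 cnDiagnosticAccess := newAccess(userRoles, ctx, types.KindConnectionDiagnostic)
 samlIdpServiceProviderAccess := newAccess(userRoles, ctx, types.KindSAMLIdPServiceProvider)
@@ -198,11 +199,9 @@ func NewUserACL(user types.User, userRoles RoleSet, features proto.Features, des
 
 var auditQuery ResourceAccess
 var securityReports ResourceAccess
-var accessMonitoringRules ResourceAccess
 if accessMonitoringEnabled {
 auditQuery = newAccess(userRoles, ctx, types.KindAuditQuery)
 securityReports = newAccess(userRoles, ctx, types.KindSecurityReport)
-accessMonitoringRules = newAccess(userRoles, ctx, types.KindAccessMonitoringRule)
 }
 
 return UserACL{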
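Review bot: The new `accessMonitoringRules := newAccess(userRoles, ctx, types.KindAccessMonitoringRule)` line in the first hunk carries no comment explaining why it is deliberately outside the `if accessMonitoringEnabled` block that still guards `auditQuery` and `securityReports` in the second hunk. Because of its name, a later cleanup could easily move it back under the flag and reintroduce the bug this commit fixes; a comment such as `// Not gated by accessMonitoringEnabled: this ACL entry is derived from role rules alone.` would pin the intent. Since the returned UserACL now reports this permission whatever the feature flag says, it is also worth confirming that the access monitoring rule endpoints enforce authorization themselves rather than relying on this ACL, which the page does not show. NewUserACL's body starts and ends outside both hunks.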
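--- a/lib/services/useracl_test.go
+++ b/lib/services/useracl_test.go
@@ -93,6 +93,7 @@ func TestNewUserACL(t *testing.T) {
 require.Empty(t, cmp.Diff(userContext.Tokens, denied))
 require.Empty(t, cmp.Diff(userContext.Nodes, denied))
 require.Empty(t, cmp.Diff(userContext.AccessRequests, denied))
+require.Empty(t, cmp.Diff(userContext.AccessMonitoringRule, denied))
 require.Empty(t, cmp.Diff(userContext.ConnectionDiagnostic, denied))
 require.Empty(t, cmp.Diff(userContext.Desktops, allowedRW))
 require.Empty(t, cmp.Diff(userContext.ExternalAuditStorage, denied))
@@ -152,6 +153,7 @@ func TestNewUserACLCloud(t *testing.T) {
 require.Empty(t, cmp.Diff(userContext.Tokens, allowedRW))
 require.Empty(t, cmp.Diff(userContext.Nodes, allowedRW))
 require.Empty(t, cmp.Diff(userContext.AccessRequests, allowedRW))
+require.Empty(t, cmp.Diff(userContext.AccessMonitoringRule, allowedRW))
 require.Empty(t, cmp.Diff(userContext.DiscoveryConfig, allowedRW))
 require.Empty(t, cmp.Diff(userContext.ExternalAuditStorage, allowedRW))
 require.Empty(t, cmp.Diff(userContext.Bots, allowedRW))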
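Review bot: Neither added assertion visibly pins the regression this commit fixes, namely a role that grants `types.KindAccessMonitoringRule` while the access monitoring feature is off. `TestNewUserACL` asserts `denied` and `TestNewUserACLCloud` asserts `allowedRW`, but the role and feature setup of both tests lies outside the hunks, so it is unclear whether either assertion would have failed before the change. If neither does, add a case that builds the ACL with the feature disabled and a role allowing the kind, and asserts `require.Empty(t, cmp.Diff(userContext.AccessMonitoringRule, allowedRW))`. A short comment there noting that this entry is intentionally independent of the feature flag would keep the test from being "corrected" later.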
